Reasen 18


Improved version of my previous CrackMe. LostIt resolved the CrackMe by adding a new section in the executable that redirects the address from where the bytes of the functions are read, to be able to edit the original function. Now, for creating the key itself for decrypting those 2 variables (cracked or not cracked), the pointer address from where it comes is needed, and also the function that does the self-checks is itself checked to make the key, so his method is no longer valid. Good luck to all and have fun!

The objective of this CrackMe is to get the good boy message and not a "mal-decrypted" one.

Edit: To not waste much time, address of the button function:
005C8800 . 55 PUSH EBP
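As an added illustration of the mechanism Reasen describes above (a decryption key derived from the checked function's own bytes plus the address they are read through, so that patching the function or redirecting the read yields a "mal-decrypted" message), here is a small C model. It is not the CrackMe's code: the stand-in byte buffer, the reuse of the 005C8800 address as the read pointer, the FNV-1a hash and the XOR cipher are all assumptions chosen to make the idea runnable offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the bytes of the function that performs the
 * self-check. In the CrackMe these bytes would be read from the function's
 * own address in the running image (e.g. the button handler at 005C8800);
 * here they are a fixed buffer so the example runs on any platform. */
static const uint8_t check_func_bytes[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,   /* push ebp / mov ebp,esp / sub esp,0x10 */
    0x75, 0x06,                           /* jnz +6 : the branch a patcher would flip */
    0x33, 0xC0, 0xC9, 0xC3                /* xor eax,eax / leave / ret */
};

/* Assumed address the bytes are read through; it is mixed into the key so
 * that redirecting the read to a copy elsewhere (LostIt's trick) changes it. */
#define CHECK_FUNC_ADDR 0x005C8800u

static const char good_boy[] = "Good boy!";

/* Derive the key from the code bytes and the pointer they were read through.
 * FNV-1a is an assumption; the CrackMe's real derivation is not shown. */
static uint32_t derive_key(const uint8_t *code, size_t len, uint32_t read_from)
{
    uint32_t h = 0x811C9DC5u ^ read_from;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* XOR buffer in place with the key's bytes cycled; symmetric, so one routine
 * serves both encryption and decryption. */
static void xor_crypt(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

/* Decrypt the stored message using whatever bytes currently sit at the
 * checked function. Returns 1 if the result is the genuine good-boy string,
 * 0 if it came out "mal-decrypted" (i.e. the function bytes were patched).
 * The ciphertext is built here from the pristine bytes, standing in for the
 * blob the author would have embedded in the binary at build time. */
int decrypt_message(const uint8_t *code_now, size_t code_len, char *out, size_t out_cap)
{
    uint8_t blob[sizeof good_boy];
    size_t n = sizeof good_boy - 1;            /* exclude terminating NUL */
    if (out_cap < n + 1)
        return 0;

    /* "Build time": encrypt under the key of the pristine function bytes. */
    memcpy(blob, good_boy, n);
    xor_crypt(blob, n, derive_key(check_func_bytes, sizeof check_func_bytes, CHECK_FUNC_ADDR));

    /* "Run time": re-derive the key from the live bytes and decrypt. */
    xor_crypt(blob, n, derive_key(code_now, code_len, CHECK_FUNC_ADDR));
    memcpy(out, blob, n);
    out[n] = '\0';
    return strcmp(out, good_boy) == 0;
}

int main(void)
{
    char out[32];
    uint8_t patched[sizeof check_func_bytes];

    decrypt_message(check_func_bytes, sizeof check_func_bytes, out, sizeof out);
    printf("pristine : %s\n", out);

    /* A one-byte change to the checked function (jnz -> jz) alters the key. */
    memcpy(patched, check_func_bytes, sizeof patched);
    patched[6] = 0x74;
    decrypt_message(patched, sizeof patched, out, sizeof out);
    printf("patched  : %s\n", out);   /* key no longer matches: garbage */
    return 0;
}
```

The point of the model is that there is no comparison to defeat: the message is never stored in clear, and the only key that decrypts it is a function of the untouched code plus the expected read address, which is why a byte patch produces garbage rather than a "bad boy" branch that could be flipped.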

Reasen 18


Well, you edited the location of the string from where the condition reads the string; that was not all I wanted. I wanted to see how it would be possible to bypass the self check, but I need to take this as valid, I think.

I will do an improved version with that issue fixed, to avoid more confusion about the objective of the crackme. (Difficulty was +5 for some reason, uh)


0xNOP 61


Well, you edited the location of the string from where the condition reads the string; that was not all I wanted. I wanted to see how it would be possible to bypass the self check, but I need to take this as valid, I think.

I will do an improved version with that issue fixed, to avoid more confusion about the objective of the crackme. (Difficulty was +5 for some reason, uh)

Alright, sorry for the misunderstanding; as you mentioned, you only wanted the reverse engineer to get to the Good Boy message. Again, I will be waiting eagerly for the improved version.


camilo 8


Just having a look at the code and trying the CC breakpoint on the button function revealed that the function itself should be unpatchable, so why not make a tunnel (code cave) in the function called before the JNZ that decides good or bad boy?

After tracing that function a bit from the start of the program, the spot to insert the tunnel in was clear.

The first time, it stopped after returning from this call, so EIP was in the first JNZ; letting the program flow run on its way showed the conditional jump would be taken, so I decided to put EIP after some bytes, effectively bypassing the two JNZ, and the result was good boy.

Now the trick to automate it by patching... Follow the previous call to see what is going on.

Magic is self-explanatory: save the flags because I will mess with them, check that the magic was called from the button-pressed function based on the return address, and on a positive result simply add 6 bytes (the JNZ code we bypassed in the first run to get good boy) to the return address on the stack, so we return directly to good boy; if the return address does not match the desired one, restore the flags, do the ECX stuff and return to the hooked function.